bluebubbles: harden local media path handling against LFI (#16322)

* bluebubbles: harden local media path handling * bluebubbles: remove racy post-open symlink lstat * fix: bluebubbles mediaLocalRoots docs + typing fix (#16322) (thanks @mbelinky)
2026-05-06 21:21:38 +00:00 · 2026-02-14 17:43:44 +00:00
parent bfa7d21e99
commit 71f357d949
7 changed files with 417 additions and 8 deletions
--- a/src/config/zod-schema.providers-core.ts
+++ b/src/config/zod-schema.providers-core.ts
@@ -874,6 +874,7 @@ export const BlueBubblesAccountSchemaBase = z
    textChunkLimit: z.number().int().positive().optional(),
    chunkMode: z.enum(["length", "newline"]).optional(),
    mediaMaxMb: z.number().int().positive().optional(),
+    mediaLocalRoots: z.array(z.string()).optional(),
    sendReadReceipts: z.boolean().optional(),
    blockStreaming: z.boolean().optional(),
    blockStreamingCoalesce: BlockStreamingCoalesceSchema.optional(),